Americans of all ages, all stations of life, and all types of disposition are forever forming associations… In democratic countries knowledge of how to combine is the mother of all other forms of knowledge; on its progress depends that of all the others.

This may sound philosophical, and we’ve blogged about this before, but it’s important for associations to remember just how much power they have. And with power comes great responsibility.

YOUR ASSOCIATION IS A HACKER TARGET

Why? Because it’s logical.

If you were a dictator in a country that had sanctions against it, I dunno, maybe they didn’t allow US Companies to help you drill for your oil reserves and you lacked the technology to do it yourself, wouldn’t it make sense to go after an association of accomplished professionals in that area?

Security Alerts with IP addresses (listed as) St. Petersburg Targeting Associations. NOTE: IP Addresses are easy to fake so it could be a false positive.

A story for y’all. I was talking to a client who had a Tendenci Open Source AMS site for a group of students at universities in the liberal arts. He said

“nobody is going after English majors“.

“Oh really?” I asked.

Then I asked If any of his students attended X University (really I could have picked any University). He said “yes.” I pointed out that exact University also has extensive Chemistry, Energy and Engineering programs that do cutting edge work.

My point was if you can do spear phishing on a student to get closer to an Engineering Professor with expertise in Directional Drilling, wouldn’t Russia be interested in that? Would North Korea be interested in obtaining information on the latest tech in chemistry? Of course they would.

My point was simply that if you can infect the computer or phone of one student, any student, then you can get into the network. And then move laterally. You are in.

Again – to the POWER of ASSOCIATIONS:

Americans combine to give fêtes, found seminaries, build churches, distribute books, and send missionaries to the antipodes. Hospitals, prisons, and schools take shape in that way. Finally, if they want to proclaim a truth or propagate some feeling by the encouragement of a great example, they form an association. In every case, at the head of any new undertaking, where in France you would find the government or in England some territorial magnate, in the United States you are sure to find an association. I have come across several types of association in America of which, I confess, I had not previously the slightest conception, and I have often admired the extreme skill they show in proposing a common object for the exertions of very many and in inducing them voluntarily to pursue it.

This is not to scare users of any association management software. It is pointing out facts and hopefully increasing awareness among NGO technology professionals, association executives, association leadership and in fact (hopefully) the whole country, that there is a serious vulnerability if not addressed seriously.

Mac users, particularly in academia or the biomedical or academic field. Be aware of the Fruitfly/Quimitchin malware. It includes a keystroke logger, accesses your cam, takes screenshots of your desktop frequently which are then uploaded, and more. What to do:

Put a sticker over your camera when not in use. I am a member of EFF and put one of their stickers over your camera.

Install an antivirus like Avira Antivirus for Mac (only from official site or app store). If you can afford it, support them by buying their products.

Install Malwarebytes or a similar anti-malware program (only from official site or app store)

Use different passwords on different sites. Variations on a password like “Smoking Chair Hat5!” is far better than “zds9bhy4@”. It’s just statistics, you won’t use the second one because you can’t remember it. Just change the first one a bit every time for each site. Password crackers can’t “partially” crack a password. Plus we use Rainbow tables anyway.

Remember, if you have a keystroke logger installed, then how complex your password is, well, irrelevant. Therefore first clean the computer. Don’t think Macs or Linux can’t be infected – they can and frequently ARE.

WASHINGTON (Reuters) – Former Yahoo Chief Executive Marissa Mayer apologized on Wednesday for two massive data breaches at the internet company, blaming Russian agents for at least one of them, at a hearing on the growing number of cyber attacks on major U.S. companies.

Having spent the majority of the last three years doing almost exclusively InfoSec and Security on the Tendenci SaaS Cloud, not by choice but out of necessity, I do feel a bit of vindication as they confirm the facts. This is DATA people. Not opinion. I see it every day.

Tendenci has always kept logs, but never before have we had to have three (and sometimes four) sets of logs kept in different locations. Log verification, audit, cross references, searching through millions of logs DAILY. Just the expense … it’s frustrating for us in the security community for several reasons:

We can’t talk fully openly about it for confidentiality reasons

We sound kra-kra.

When we do, everyone thinks we are crazy and it’s a conspiracy theory.

It turns out reality is like an idiom, what everyone initially thought was wrong and like so many other things, people get silenced. That shit Cray . Oh, and that reference doesn’t mean what you think it means either. Because Jay-Z is smart as f*ck and he is making a damn point.

Now for the punchline – They’ve documented that Kaspersky, a Russian company close to Putin, was hacked by Israel. Kaspersky security researchers have confirmed the NSA hacking tools existence when they discovered it in the spring of 2014. The article;

In a statement, the company (Kaspersky) said it stumbled on the (NSA) code a year earlier than the recent newspaper reports had it (ed: Comey stated summer 2015), in 2014. It said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.

And it further states, again from the article:

Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.

Kaspersky later responded via email to a question by Reuters to confirm that the company had first discovered the so-called Equation Group programs in the spring of 2014.

So a Russian antivirus software found a zip file with NSA hacking tools in 2014. Hacking tools that target Microsoft and other business software, again, in the Spring of 2014. Confirmed by Israeli Security researchers who hacked Kaspersky.

Now, what they found was a compressed, portable, easily emailed or traded via email even as nobody else had the signatures to detect. A zip file.

A zip file.

For those unfamiliar with the industry, by the time an exploit is being traded in a 7 z it’s long been in the wild. That is the commodity phase of the economic curve.

The economics of the dark web have been researched and are well documented (hint: look at DEFCON and Blackhat presos from a few years back.)

If you are a reporter or security researcher – keep digging. Basic economics say it had to have been being traded early 2013 for high bids with a quick pricing decline as is typical with shrink wrap software.

It remained unpatched. Every company using common business software was, and probably still is, an open book. A trivial metasploit script and your movies, your directional drilling tech, your seismic data, patents, medical history, your porn habit, email, fb, you name it, was and probably still is wide open.

Bottom line: My opinin is the timeline of the NSA hacking tools being released is 2013. If not earlier. (But I’ll stick with my mid-2013 estimated release to the wildebeasts estimate.) NSA let them into the wild as discovered by Russians (current media puts this at 2014) who were then hacked by our allies Israel. Israel then reported this to the US.

And we did nothing. Think about it.

Just add that up and you get Russia hacking US companies and associations using our own tools paid for by YOU. NSA hacking tools discovered and reported to the US by our allies in Israel. 2014 or earlier.

What did NOT happen was responsible reporting to vendors like Microsoft who only patched it when the Shadow Brokers released it on github in 2017. Thus from 2014 (or earlier), our allies, our foes, and our own security agencies did nothing to protect US intellectual property, infrastructure, companies, jobs, and people.

Noodle that one.

…. this story will continue to unfold. And if you are an investigative journalist, maybe ask around the community politely regarding who’s zoo had the code and when.

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSAs hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty at a high level is primarily in identifying and blocking bad actors.

I hate to say it folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

James Comey Testimony on Russian Hacking Includes Acknowledgement of Russians Specifically targeting NGOs and Nonprofits

Growing Tendenci – The Open Source AMS, has been eye opening. I didn’t realize fully why our clients were constantly being attacked. Even behind all of our firewalls, scanners, ACLs, malware, rootkit detection, antivirus, third party scanners, multifactor, use of Honeypots, we don’t store credit cards, and then still even more custom security measures we’ve developed in house.

I mean seriously, it’s not like you’re going to scan a site we host and not have it logged and inspected and blocked aggressively when possible. Nothing is hack proof obviously. But our security practices are FAR beyond the norm.

I didn’t have the luxury of questioning the motive. We do.

When necessary, we have engaged authorities for assistance. So it was interesting to see this from former FBI Director James Comey’s testimony:

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Let me repeat that last part for emphasis in case anyone who works with Associations and Non Profits needs some ammo to take back to their board about why they can’t host for $10 a month on a cheap hosting site.

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Those words should weigh heavily on people in the NPO/NGO sector. It is worthy of mention to everyone using an AMS system. To be secure, you need to be able to inspect your own code if you host with us or somewhere else. Please do so with Tendenci at https://github.com/tendenci/tendenci/ . Security is a process, not a magic pill.

The motives for these attempted hacks are above my pay grade. Just know if you feel you are being targeted, well, it isn’t paranoia if they really are out to get you. And they really are out to get you.

And please don’t click that link in your email. Please. Just don’t do it.

Stay vigilant my friends.

PS – two other facts I can add. I can personally confirm it was in the hundreds just based on our client base. This does NOT mean they breached, but targeted? Yes. And second, by my estimations it started in earnest in 2013, not 2015.

PPS – and now we start the count down before they take my blog offline with DDOS again. Whoever “they” is. All I see is a matrix at this point… and I’m ok with that oddly enough. Because if the Zombie apocalypse is real in downtown SF, then everything else is possible too.

Disclaimer: This post is NOT about the President. Or about former FBI Director Comey’s testimony as it relates to our elected Zombies on both sides who vote party over the people they represent. No, this post is about a small part of Comey’s testimony that relates to Associations and Nonprofits. It applies if they use Tendenci or not. Whatever the motive of the Russian hackers, the fact is that associations and nonprofits are being singled out for attacks. This is a fact of your current reality.

Install an SSL certificate on your web site. These can be purchased from a number of sources like godaddy, free but short lived ones are available from letsencrypt. Or you can get really serious about it and work with a security professional like my friend Jason Palmer http://www.jasonpalmer.com/ .